panecs: a modeling language for passivity-based design of networked control...

PaNeCS: A Modeling Language forPassivity-based Design of Networked Control

Systems

Emeka Eyisi, Joseph Porter, Joe Hall, Nicholas Kottenstette, XenofonKoutsoukos and Janos Sztipanovits

Institute for Software Integrated SystemsVanderbilt University

2015 Terrace Place, Nashville, TN 37203 [email protected]

Abstract. The rapidly increasing use of distributed architectures inconstructing real-world systems has led to the urgent need for a soundsystematic approach in designing networked control systems. Commu-nication delays and other uncertainties complicate the development ofthese systems. This paper describes a prototype modeling language forthe design of networked control systems using passivity to decouple thecontrol design from network uncertainties. The modeling language in-cludes an integrated analysis tool to check for passivity and a code gener-ator for simulation in MATLAB/Simulink using the TrueTime platformmodeling toolbox. The resulting designs are by construction more robustto platform effects and implementation uncertainties.

1 Introduction

The heterogeneous composition of computing, sensing, actuation, and commu-nication components has enabled a modern grand vision for real-world CyberPhysical Systems (CPS). Real-world CPSs such as automotive vehicles, buildingautomation systems, and groups of unmanned air vehicles are monitored andcontrolled by networked control systems (NCS). NCS involve the interaction ofphysical dynamics, computational dynamics, and communication networks. Thisheterogeneity does not go well with current methods of compositional design. Themost important principle used in achieving compositionality is separation of con-cerns which works if the design views are orthogonal, i.e. design decisions in oneview do not influence design decisions in other views. Unfortunately, achievingcompositionality for multiple physical and functional properties simultaneouslyis a very hard problem because of the lack of orthogonality among the designviews.

Model-based design for embedded control systems involves creating mod-els and checking correctness at different stages in the development process [1].Model-based design flow progresses along precisely defined abstraction layers,typically starting with control design followed by system-level design for the

MoDELS'09 ACES-MB Workshop Proceedings

Denver, CO, USA, October 6, 2009 27

specification of platform details, code organization, and deployment details, andthe final stage of integration and testing on the deployed system. This designapproach cannot be applied directly to NCS because domain heterogeneity andtight coupling between design concerns create a number of challenges. Ensur-ing controller stability and performance for physical systems in the presenceof network uncertainties (e.g. time delay, packet loss) couples the control andsystem-level design layers. In addition, downstream code modifications duringtesting and debugging invalidate results from earlier design-time analysis andany component change often results in “restarting” the design process.

A number of research projects seek to address the problems of model-baseddesign for NCS. The ESMoL modeling language for designing and deployingtime-triggered control systems explicitly captures in model structure many ofthe essential relationships in an embedded design[2]. The ESMoL tools includeschedule determination for time-triggered communications, code generation, anda portable time-triggered virtual machine. AADL [3] is a textual language andstandard for specifying deployments of control system designs in data networks[4]. AADL projects also include integration with verification and scheduling anal-ysis tools. The Metropolis modeling framework [5] aims to give designers tools tocreate verifiable system models. Metropolis integrates with SystemC, the SPINmodel-checking tool, and other tools for scheduling and timing analysis.

In order to tackle the challenges of designing NCS, we propose an auto-mated model-based approach based on passivity control theory. We used Model-Integrated Computing [1] to develop a domain specific modeling language (DSML)called the Passive Network Control Systems language (PaNeCS). Our approachis based on the passive control architecture presented in [6] which provides thetheoretical foundations for analysis and design of NCS emphasizing robustness tonetwork delays and packet loss. This paper focuses on the design of the DSMLas well as a compositional tool for passivity analysis and code generation forMatlab/Simulink/Truetime models. We aim to address a number of significantchallenges:

– Changes made during design, development, and testing cycles may cause ex-tensive software revisions and force expensive re-verification. Model-integratedcomputing tools provide automated software generation, analysis, and sys-tem configuration directly from models. PaNeCS supports forward genera-tion of platform-specific simulation models as well as passivity analysis ofsystem components.

– Control systems are often verified using complex optimization techniques.For example, linear matrix inequalities (LMIs) can model many importantcontroller properties (e.g. stability, response time, reachability). In a systembuilt from the composition of multiple blocks, such analysis quickly becomesintractable. In order to assess global stability, designers would have to builda single, large analysis model which includes all possible state variables inthe system. In contrast, the passive control architecture can ensure globalstability (in a robust way) by a combination of component analysis andspecific rules for composition of passive components.



– Control designers create models for both physical systems and controllersusing tools like Simulink and Stateflow [7]. Deployment of a control designsuch as a Simulink model to a networked architecture introduces uncer-tainties due to time-varying delay, data rate limitations, jitter, and packetloss. Deployment of the design is often expensive, and failure during test-ing can be costly. An increasingly accepted way to address these problemsis to enrich abstractions in each layer with implementation concepts. Anexcellent example for this approach is TrueTime [8] that extends Simulinkwith platform-related modeling concepts (i.e., networks, clocks, schedulers)and supports simulation of networked and embedded control systems withthe modeled implementation effects. While this is a major step in improv-ing understanding of implementation effects, it does not help in decouplingdesign layers and improving orthogonality across design concerns. A controldesigner can factor in implementation effects (e.g., network delays), but ifthe implementation changes the controller may need to be redesigned. Ourapproach imposes passivity constraints on the component dynamics, so thatthe design becomes insensitive to network effects, thus establishing orthog-onality (with respect to network effects) across the controller design andimplementation design layers.

The paper is organized as follows: Section 2 presents a passive control archi-tecture for NCS. Section 3 presents our prototype modeling language. Section 4discusses an integrated analysis tool for automatically checking passivity. Sec-tion 5 presents a model interpreter for generating Matlab/Simulink simulationcode using the TrueTime platform modeling toolbox. Section 6 shows a casestudy of a NCS consisting of two discrete plants and a controller. Section 7provides our conclusion.

2 Passivity-Based Control of Networked Control Systems

Our approach for designing NCS is based on passivity theory. There are variousprecise mathematical definitions for passive systems [9]. Essentially all defini-tions state that the output energy must be bounded so that the system does notproduce more energy than was initially stored. Passive systems have a uniqueproperty that when connected in either a parallel or negative feedback mannerthe overall system remains passive. Passivity provides an inherent safety – pas-sive systems are insensitive to certain implementation uncertainties [10] [11][12],so passivity can be exploited in the design of NCS. The main idea is that byimposing passivity constraints on the component dynamics, the design becomesinsensitive to network effects, thus establishing orthogonality (with respect tonetwork effects) across the various design layers. This separation of concerns al-lows the model-based design process to be extended to networked control systemswhich is what our model-based approach provides.

We briefly discuss the passivity based control architecture for multiple plantscontrolled by a single controller via a network [6]. Fig. 1 depicts a sample net-worked control system where only one plant is shown. The Bilinear Transform



Fig. 1. A networked control system

block represents a transformation between signals and wave variables. Wave vari-ables were introduced by Fettweis in order to circumvent the problem of delay-free loops and guarantee a realizable implementation for digital filters [10]. Wavevariables also allow systems to remain passive while transmitted data over a net-work subject to arbitrary fixed time delays and data dropouts [11], [12]. In Fig.1, upk(i) (k=1,2), can be thought of as sensor output data in wave variable formfrom each plant. Likewise, vcj(i) (where j=1,2) can be thought of as a commandoutput in wave variable form from the controller.

The power junction in Fig. 1 is an abstraction used to interconnect wavevariables from multiple controllers and multiple plants in parallel such that thetotal input power is always greater than or equal to the total output power.This provides a formal way to construct a networked control system. The powerjunction makes it possible for a single controller to control multiple plants overa network and guarantee that the overall system remains stable. A detailedmathematical definition of the power junction can be found in [6]. In Fig. 1,the power junction has waves entering and leaving as indicated by the arrows.The waves entering the power junction from the controller are the network-delayed version of the waves leaving the controller, as indicated by the timedelay block. Also, the waves entering the controller are the delayed version ofthe waves leaving the power junction. Likewise, the waves entering the plant arethe delayed version of waves leaving the power junction and the waves enteringthe power junction are the delayed version of waves leaving the plant.

Fig. 2. The passive upsampler and passive downsampler.

Due to bandwidth constraints, the controller typically runs at a slower ratethan the sensors and actuators of the plants. In order to preserve passivity in themulti-rate digital control network we use the passive upsampler (PUS) and pas-



sive downsampler (PDS) pair to handle the data rate transitions. Fig. 2 depictsthe passive upsampler (PUS) and passive downsampler (PDS). wo(i) denotes adiscrete wave variable going out of a wave transform block. For example, in Fig.1, vc1(i)and up2(i), the wave variables going out of the Bilinear Transformationblock, are each connected as wo(i) to their respective downsampler blocks. Sim-ilarly, wi(i) represents the respective discrete wave variable going into a wavetransform block. uc1(i) and vp2(i), correspond to the wi(i) connections in Fig.2. The PUS and PDS provide the upsampled and downsampled versions of theirrespective wave variable inputs while preserving passivity. The block parameterM is the sampling ratio – the data rate of the fast side of the connection dividedby the data rate on the slow side.

3 PaNeCs

We introduce the passivity-based modeling language (PaNeCS). The modelinglanguage is developed using a meta-configurable tool, the Generic Modeling En-vironment (GME), from the Model Integrated Computing (MIC) tool suite [13].GME provides a metamodeling environment similar to UML. The class stereo-types are defined as follows: Models are entities that may contain other objectswhile Atoms are indivisible entities which cannot contain other objects; Con-nections are association classes used to describe the relationship between twoentities. It represents a line that connects two entities of a model. Connectorssignified by “.” specify a visualization for a connection in the model. Associa-tions to the connector have possible roles (“src” and “dst”) to define the alloweddirection of a connector.

3.1 Components

The language top level consists of four main components: the PlantSystem,the ControllerSystem, the PowerJunction and the WirelessNetwork.

PlantSystem Fig. 3 shows a part of the PaNeCS metamodel that describesthe plant subsystem. Plant represents a model for any discrete linear time-invariant (LTI) system and can be extended to a nonlinear system. The dynamicsof the Plant are represented by the following state space equations:

x(k + 1) = Ax(k) + Bu(k)y(k) = Cx(k) + Du(k).

(1)

The Plant dynamics are parameterized by matrix attributes A, B, C, D, and ascalar SamplingTime. The attributes can be specified using any valid Matlab ex-pression that evaluates to the proper dimensions. BilinearTransformP representsa model for the wave scattering technique for transforming the wave variablesreceived from the power junction into control input to the plant and for trans-forming the plant output signal into wave variables that are transmitted over thenetwork. PassiveUpSampler and PassiveDownSampler pair represent the PUSand PDS pair discussed in Section 2.



Fig. 3. PlantSystem portion of the Metamodel

ControllerSystem Fig. 4 shows the part of the language that describes thecontroller subsystem. DigitalController is a model representing the algorithm

Fig. 4. ControllerSystem portion of the Metamodel

for controlling the networked plants. Similar to the model of the Plant in thePlantSystem, the DigitalController is modeled as a LTI system and its dy-namics can also be represented in the state space form of Eq. (1). Therefore, theDigitalController parameters have similar attributes to the Plant. BilinearTrans-formC is similar to the BilinearTransformP described in the PlantSystem.ZeroOrderHold represents a component that holds its input for the time periodspecified in the sampling time attribute. ReferenceInput represents the desired



signal to be tracked by the plants.Power Junction Fig. 5 shows the part of the language that describes the

power junction. The PowerJunction can contain ports for the connection of the

Fig. 5. PowerJunction portion of the Metamodel

plants and controllers. They are briefly described as follows: PowerInputPower-Output represents a port through which the PlantSystem connects to the Pow-erJunction. Through it, the PowerJunction sends calculated control signalsto the PlantSystem and also receives sensor signals from the PlantSystem.PowerOutputPowerInput represents a port through which the ControllerSys-tem can connect to the PowerJunction. Through it, the PowerJunctionsends the averaged sensor signal to the ControllerSystem and receives thecalculated control signal from the ControllerSystem.

WirelessNetwork Fig. 6 represents the network and its parameters for theNCS. The WirelessNetwork model provides modifiable parameters for simu-

Fig. 6. Wireless Network portion of the Metamodel

lation. Data rate sets the throughput for simulating network activity. Disturban-cePacketSize configures the size of simulated disturbance attack packets on thenetwork (introduces delays). This provides a way for simulating the NCS undernon-optimal conditions. DisturbancePeriod configures the frequency of distur-bance attacks on the network.

3.2 Language Aspects

Our modeling language has two aspects (GME aspects are similar to modelingviews in other tools): Control Design Aspect and Platform Aspect. The



Control Design Aspect visualizes the controller modeling layer. This includesthe plants, controller, and power junction, as well as their interconnections –indicating the flow of control and sensor signals.The Platform Aspect visualizes the physical platform layer. This model viewshows the physical components of the NCS. The entities in this view includethe plants, controller, and the wireless network as well as their interconnectionsindicating the flow of data packets over the network. Though the plants andcontroller appear in both aspects, in the Platform aspect they represent physicalentities rather than control design concepts.

3.3 Structural Semantics

The main objective of our language design is to ensure the “correctness-by-construction” for passive designs of NCS designed using PaNeCS. In order toachieve this objective, we impose constraints on the properties of componentsof NCS as well as their interconnections. The metamodel notations describedabove does not capture all the required structural constraints. Using the ObjectConstraint Language (OCL), we can describe well-formedness rules for definingprecise control of static semantics of the language. GME is embedded with anOCL engine which can be used to define constraints that are enforced at designtime, giving direct feedback when the user attempts to create faulty connectionsin the model or violates any of the specified constraints. In Section 4, we willdescribe an analysis tool that is used to verify that system components satisfythe component-level passivity constraints.

We implemented three classes of constraints: Cardinality Constraints, Con-nection Constraints and Unique Name Constraints. Cardinality Constraints en-sure that the required and correct number of components are used in the NCSdesign. For example, for each PlantSystem model there must be one Plant.Connection Constraints restrict the number of allowable connections betweencomponents. For example, in the PlantSystem model there can be only onebidirectional connection between the Plant and BilinearTransformP. UniqueName Constraints ensure the uniqueness of the names of components in thePlant and Controller subsystems as well as in the top level model of the NCS.

An example of an OCL constraint implementation is shown below. This spec-ifies that the number of allowable connections from a BilinearTransformC modelto a DigitalController to be one.

Desc r ip t i on : There must be only one b i d i r e c t i o n a l connect ionbetween Bil inearTransformC to the D i g i t a lCon t r o l l e r

Equation : l e t dstCount = . . .s e l f . a t tach ingConnect ions (” s r c ” , C on t r o l l e r B i l i n e a r )−> s i z e indstCount <> 0 implies dstCount = 1



3.4 Operational Semantics

NCS modeled in PaNeCS are implemented in MATLAB/Simulink using modelsgenerated by an integrated code generator which is discussed in Section 5.

The Plant and DigitalController entities are implemented as Simulink blocksthat model the behavior of each entity based on user-specified parameters. ThePlantSystem and ControllerSystem are modeled as Simulink subsystems.In order to model the behavior of a real network, Simulink is extended withTrueTime as described previously.

Each PlantSystem and ControllerSystem are connected to a TrueTimeKernel block. The TrueTime Kernel essentially represents each subsystem asa node in the network. It is responsible for I/O and network data acquisitionas well as implementing other user-defined tasks, and models the computer orprocessor on which the subsystem is implemented. The task in each TrueTimekernel connected to a PlantSystem is performed periodically based on thespecified sampling time of the subsystem. For this version of our language, thePowerJunction is implemented as a task in the TrueTime Kernel connected tothe ControllerSystem. The task that implements the power junction operatesbased on the occurrence of an event such as the arrival of sensor data or controlsignal. Each TrueTime kernel has two main scripts: 1) The Initialization scriptspecifies the number of inputs and outputs, the function code name and alsoindicates the kernel’s node id which is used to identify the kernel on the net-work. 2) The function script essentially implements the user specified task suchas sending and receiving of wave variables over a network. The function code forthe TrueTime kernel connected to the ControllerSystem also performs the ad-ditional task of implementing the PowerJunction. Hence, the PowerJunctionsends and receives wave variables from the ControllerSystem locally while thePlantSystem sends and receives wave variables from the power junction overthe simulated wireless network.

The wireless network is implemented using the TrueTime Wireless networkblock. It simulates the network dynamics, implementing the transfer of datapackets over a wireless network from one node to another. It essentially simulatesthe routing of data received from the TrueTime kernels over the wireless networkto their respective destination.

In a typical cycle of operation of the NCS, the wave variables from a PlantSys-tem or multiple PlantSystems are computed and sent to the PowerJunctionfrom each TrueTime kernel. The received wave variables are sent to the Con-trollerSystem to compute the control signal which is then sent back to thePlantSystems.

4 Passivity Analysis

4.1 Component Analysis

In order to achieve the desirable properties observed in passive systems, we haveto analyze the components of the networked control system and make sure theysatisfy passivity constraints.



The analysis of the Plant and DigitalController components of the networkedcontrol system for passivity is done automatically by an integrated Matlab anal-ysis function. Each component is assumed to have a linear time-invariant (LTI)discrete-time model, so we use LMIs together with the CVX semidefinite program-ming tools for Matlab [14, 15]. On invocation (i.e. the modeler presses a button),a C++ model interpreter within GME [13] visits each component, and invokesthe analysis function. Any components failing the passivity test are reported tothe user.

The dynamics of the Plant and DigitalController models can each be definedby Eq.(1) and are characterized by the matrices A, B,C, D of size compatiblewith the number of inputs and outputs in the system and the number of statesin the model. The passivity constraints for these models is defined by LinearMatrix Inequality (LMI) constraints [16]. For example, a LMI formula for strictoutput passivity for an LTI digital controller is given by

[AT PA− P − Q AT PB − S

(AT PB − S)T −R + BT PB

]� 0

Q = CT QC, S = CT S + CT QD

R = DT QD + (DT S + ST D) + R

∃ε > 0, Q = −εI, R = 0, S =12I

(2)

The CVX semidefinite programming (SDP) tool is used in a Matlab script tosolve the LMI for each component.

4.2 System-Level Analysis

Due to the “correct-by-construction” approach we use in designing networkedcontrol, we only analyze the Plant and DigitalController elements for passivity.If the Plant and DigitalController both satisfy the passivity constraints, thenetwork control system as whole also satisfies the passivity principles.

The realization of the power junction element enforces some simple mathe-matical constraints which ensure passivity for interconnected components at run-time. These effects are also captured in the simulation of the power junction, sosimulation should reveal any destabilizing effects. Further, the component inter-connections are restricted in such a way that they are “correct-by-construction”.Only valid (parallel) connections are allowed to the power junction, so any inter-connected system of passive components in the language will be globally passive.The modeling language and its constraints encode the passive composition se-mantics, greatly reducing the analysis burden for determining passivity (andhence stability [6], [9], [17]) of the composed system design.



5 Code Generation

The main objective of the code generator is to generate MATLAB code thatmaps the models designed using the modeling language to Simulink models thatrepresent the networked control system.

We developed a model interpreter that is used to synthesize simulation codefrom an instance model of the passivity based modeling language. The interpreteris developed in C++ using the Builder Object Network (BON2) API providedwith GME [13]. The interpreter traverses all the entities of a particular networkedcontrol system instance model and extracts model parameters. These parametersand model structure are used to generate MATLAB files for configuring andbuilding Simulink and TrueTime models to simulate the NCS.

The model interpreter creates translation rules between models and desiredoutputs. The entities in the instance model each map to a set of equivalently-defined components in Simulink and components from an advanced Simulinkpassivity-based control library. For example, the Plant and DigitalControllerentities discussed in Section 3 each map to an equivalent discrete state-spaceSimulink block. For these two entities the parameters for the equivalent Simulinkblocks are instantiated using the parameter values entered by the user describ-ing the dynamics of the entities. These parameters include the A, B, C and Dmatrices as well as the sampling time.

6 Case Study

We introduce a case study to demonstrate our design approach and also showthat networked control systems designed using this approach are robust andremain stable when subject to uncertain network effects.

We created a networked control system which involves the control of twodiscrete plants using a single controller. The controller controls the two discreteplants to track a specified reference signal. The goal of the experiment was tomodel the network control system and generate a simulation of the behaviorof the system. Although we used only two discrete plants for this case study,PaNeCS can model and simulate an arbitrary number of plants.

Fig. 7a and 7b respectively show the control design and platform aspectsof the instance model respectively. Also, Fig. 7c shows the details of the plantsystem while Fig. 7d show the details of the controller system. The two plantsmodeled in the experiment are simple integrators (corresponding to physicalmodels of inertial masses of 2kg and .25kg respectively) which are discretized.The plants’ dynamics were modeled in state space form and the correspondingA, B, C and D matrices as well as the sampling time, Ts were provided asparameters to the instance model.

We used a proportional controller as the digital controller to command theplants to track a user-specified reference. The digital controller was also modeledin state space form and the A, B, C and D matrices and also the sampling time,Ts were provided as input parameters to the instance model. The parameters for



(a) Control Design Aspect

(b) PlatformAspect

(c) Plant Subsystem

(d) Controller Subsystem

Fig. 7. Sample Model of a Networked Control System

the dynamics of the plants and controller are provided in Table 1. The analysistool checked and verified that the Plant and DigitalController models satisfiedthe passivity constraints. Then the code generator was used to generate code forcreating a platform-specific Simulink simulation model from the parameters anddesign models in the modeling language.

PaNeCS provides the flexibility to easily model networked control systemsusing passivity and more quickly configure the model parameters of the systemfor many different adaptations. Using PaNeCs we tested the dynamics of the



NCS by running different experiments under different network conditions by ad-justing parameters in the language and then generating code for simulating eachconfiguration of the model. Table 2 shows the parameters for the simulations.

Experiment 1: Nominal Conditions In experiment 1, the system operatedwithout the introduction of disturbance attacks. The three sample periods con-sidered were 0.1s, 0.5s and 1s. The data rates were achieved by modifying theSample, M parameters of the PassiveUpSampler and PassiveDownSampler enti-ties. We only present plots for the results of the NCS having a sample period of0.1s. Fig. 8 displays the velocity of the plants and the reference velocity providedto the controller. The plants closely tracked the reference velocity. The roundtrip delay for each plant seemed to have very little effect on the stability of theplants’ velocity response. The delay can be attributed to the internal processingof the plants and controllers rather than network delay itself.

Table 1. Plant and Controller Dynamics.

A B C D Ts

Plant1 1 1 .005 .0025 .01s

Plant2 .996 1 .04 .02 .01s

Controller 0 0 0 10π .1s

Fig. 8. Nominal velocity response and time delays (Data rate=0.1s)

Experiment 2: Network disturbances In experiment 2, a disturbance attackwas introduced in the network. A disturbance node is configured using the Dis-turbancePeriod and DisturbancePacketSize from the WirelessNetwork model.Disturbance packets were sent over the network based on the value of a uniformlygenerated random number. Similar to Experiment 1, three different sample rateswere tested, but we only present the results for the 0.1s sample period. Fig. 9shows the velocity response of the plants and the time delay for each plant. The



results show that even in the presence of disturbance attacks, the plants remainstable in tracking the reference velocity. This demonstrates the advantage of thepassivity approach we use in designing networked control systems which guar-antees the stability of the NCS in the presence of uncertainties due to networkeffects.

Fig. 9. Velocity response and time delays with disturbance attack (Data rate=0.1s)

Table 2. Simulation Parameters Summary.

Sample Periods

0.01s 0.05s 0.1s

Plant1,M 10 50 100

Plant2,M 10 50 100

Disturbance Ts = 0.01 Packetsize = 110, 000bits

7 Conclusion and Future Work

Our model-based approach simplifies the process of designing passive networkedcontrol systems. We presented PaNeCS, a prototype modeling language for thatpurpose. We have presented an analysis tool that is used to test system com-ponents for passivity. We have also described model interpreters that generatecode for simulation in MATLAB/Simulink using the TrueTime platform model-ing toolbox. A case study involving the control of multiple discrete plants overa wireless network was used to demonstrate the details of models generated us-ing the modeling language as well as the resulting simulation of the generatednetworked control system. The results showed that a networked control systemcould be designed using our approach which is robust and insensitive to un-certainties due to a few particular network effects. Our future work focuses ontwo major directions: (i) extending the language to include nonlinear and morecomplex systems,(ii) generating executables for deployment on actual systems.



References

1. Karsai, G., Sztipanovits, J., Ledeczi, A., Bapty, T.: Model-integrated developmentof embedded software. Proceedings of the IEEE 91(1) (Jan. 2003)

2. Porter, J., Karsai, G., Volgyesi, P., Nine, H., Humke, P., Hemingway, G., Thi-bodeaux, R., Sztipanovits, J.: Towards model-based integration of tools and tech-niques for embedded control system design, verification, and implementation. In:Workshops and Symposia at MoDELS 2008, Springer LNCS 5421, Toulouse, France

3. AS-2 Embedded Computing Systems Committee: Architecture analysis and de-sign language (aadl). Technical Report AS5506, Society of Automotive Engineers(November 2004)

4. Hudak J. and Feiler P.: Developing aadl models for control systems: A practitioner’sguide. Technical Report CMU/SEI-2007-TR-014, CMU SEI (2007)

5. Balarin, F., Watanabe, Y., Hsieh, H., Lavagno, L., Paserone, C., Sangiovanni-Vincentelli, A.L.: Metropolis: an integrated electronic system design environment.IEEE Computer 36(4) (April 2003)

6. Kottenstette, N., Hall, J., Koutsoukos, X., Antsaklis, P., Sztipanovits, J.: Digitalcontrol of multiple discrete passive plants over networks. Intl. Journal of Systems,Control and Communications, Special Issue on Progress in Networked ControlSystems (2009)

7. The MathWorks, Inc.: Simulink/Stateflow Tools. http://www.mathworks.com8. Ohlin, M., Henriksson, D., Cervin, A.: TrueTime 1.5 Reference Man-

ual. Dept. of Automatic Control, Lund University, Sweden. (January 2007)http://www.control.lth.se/truetime/.

9. Kottenstette, N., Antsaklis, P.J.: Stable digital control networks for continuouspassive plants subject to delays and data dropouts. In: Proceedings of the 46thIEEE Conference on Decision and Control. (2007) 4433 – 4440

10. Fettweis, A.: Wave digital filters: theory and practice. Proceedings of the IEEE74(2) (1986) 270 – 327

11. Secchi, C., Stramigioli, S., Fantuzzi, C.: Digital passive geometric telemanipulation.In: IEEE Intl. Conference on Robotics and Automation. (2003) 3290 – 3295

12. Berestesky, P., Chopra, N., Spong, M.W.: Discrete time passivity in bilateralteleoperation over the internet. In: IEEE International Conference on Roboticsand Automation. (2004) 4557 – 4564

13. Ledeczi, A., Maroti, M., Bakay, A., Karsai, G., Garrett, J., IV, C.T., Nordstrom,G., Sprinkle, J., Volgyesi, P.: The generic modeling environment. Workshop onIntelligent Signal Processing (May 2001)

14. Grant, M., Boyd, S.: Cvx: Matlab software for disciplined convex programming.http://stanford.edu/ boyd/cvx (February 2009)

15. Grant, M., Boyd, S.: Graph implementations for nonsmooth convex programs.Recent Advances in Learning and Control (a tribute to M. Vidyasagar), SpringerLecture Notes in Control and Information Sciences (2008) 95–110

16. Kottenstette, N., Antsaklis, P.J.: Time domain and frequency domain conditionsfor passivity. Technical Report ISIS-2008-002, Institute for Software IntegratedSystems, Vanderbilt University and University of Notre Dame (November 2008)

17. Kottenstette, N., Koutsoukos, X., Hall, J., Antsaklis, P.J., Sztipanovits, J.:Passivity-based design of wireless networked control systems for robustness to time-varying delays. RTSS (December 2008) 15–24



panecs: a modeling language for passivity-based design of networked control...

Documents